Cyber Incident Victim: Interactive Medical Systems
Date:
Jul 2019
Location:
United States of America
Summary
A phishing attack targeting an employee at a former benefits administrator compromised personal data of approximately 1,900 Wake County Government employees. The breach exposed names and partial social security numbers for most affected individuals, while a smaller subset had full social security numbers and addresses disclosed. The incident stemmed from compromised systems at Interactive Medical Systems, not county infrastructure, with unauthorized access persisting for several months before discovery. The administrator notified impacted parties via mail, established a dedicated hotline for inquiries, and offered credit monitoring services to those with fully exposed sensitive data. Security enhancements implemented post-breach included system upgrades, strengthened password protocols, and expanded employee training to mitigate future risks.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The data breach involving Interactive Medical Systems (IMS), Wake County's former flexible benefit spending accounts administrator, occurred between July 19, 2019, and December 31, 2019. IMS discovered the incident on December 31, 2019, and subsequently determined that unauthorized third parties had accessed personal information of approximately 1,900 Wake County Government employees through a phishing attack targeting an IMS employee. The breach did not affect Wake County's internal systems or result from actions by county personnel. IMS confirmed the security failure stemmed from compromised employee credentials obtained via phishing, though specific technical details of the attack vector were not disclosed.
Personal data exposed included names and dates of service for most affected employees, along with partial social security numbers. A smaller subset had names, addresses, and full social security numbers compromised. IMS formally notified Wake County of the breach via letter on January 29, 2020, nearly one month after discovery. The company initiated direct mail notifications to impacted individuals and established a dedicated hotline for employee inquiries. Credit monitoring services for one year were offered exclusively to the subgroup with exposed full social security numbers. IMS implemented upgraded security systems, stricter password policies, and enhanced employee security training as corrective measures. Wake County officials emphasized the breach's external origin and confirmed no resident data or additional employee records beyond the 1,900 IMS-managed accounts were compromised.